[Pcre-svn] [1126] code/trunk: Check for integer overflow whe…

Páxina inicial
Borrar esta mensaxe
Autor: Subversion repository
Data:  
Para: pcre-svn
Asunto: [Pcre-svn] [1126] code/trunk: Check for integer overflow when computing lookbehind lengths.
Revision: 1126
          http://www.exim.org/viewvc/pcre2?view=rev&revision=1126
Author:   ph10
Date:     2019-07-04 18:01:53 +0100 (Thu, 04 Jul 2019)
Log Message:
-----------
Check for integer overflow when computing lookbehind lengths. Fixes Clusterfuzz 
issue 13656.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/src/pcre2_compile.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2019-07-03 17:15:37 UTC (rev 1125)
+++ code/trunk/ChangeLog    2019-07-04 17:01:53 UTC (rev 1126)
@@ -85,7 +85,10 @@


16. Give error if pcre2test -t, -T, -tm or -TM is given an argument of zero.

+17. Check for integer overflow when computing lookbehind lengths. Fixes
+Clusterfuzz issue 15636.

+
Version 10.33 16-April-2019
---------------------------


Modified: code/trunk/src/pcre2_compile.c
===================================================================
--- code/trunk/src/pcre2_compile.c    2019-07-03 17:15:37 UTC (rev 1125)
+++ code/trunk/src/pcre2_compile.c    2019-07-04 17:01:53 UTC (rev 1126)
@@ -9269,8 +9269,26 @@
     case META_MINMAX_QUERY:
     if (pptr[1] == pptr[2])
       {
-      if (pptr[1] == 0) branchlength -= lastitemlength;
-        else itemlength = (pptr[1] - 1) * lastitemlength;
+      switch(pptr[1])
+        {
+        case 0:
+        branchlength -= lastitemlength;
+        break;
+
+        case 1:
+        itemlength = 0;
+        break;
+
+        default:  /* Check for integer overflow */
+        if (lastitemlength != 0 &&  /* Should not occur, but just in case */
+            INT_MAX/lastitemlength < pptr[1] - 1)
+          {
+          *errcodeptr = ERR87;  /* Integer overflow; lookbehind too big */
+          return -1;
+          }
+        itemlength = (pptr[1] - 1) * lastitemlength;
+        break;
+        }
       pptr += 2;
       break;
       }
@@ -9284,19 +9302,19 @@
     return -1;
     }


- /* Add the item length to the branchlength, and save it for use if the next
- thing is a quantifier. */
+ /* Add the item length to the branchlength, checking for integer overflow and
+ for the branch length exceeding the limit. */

-  branchlength += itemlength;
-  lastitemlength = itemlength;
-
-  /* Ensure that the length does not overflow the limit. */
-
-  if (branchlength > LOOKBEHIND_MAX)
+  if (INT_MAX - branchlength < (int)itemlength ||
+      (branchlength += itemlength) > LOOKBEHIND_MAX)
     {
     *errcodeptr = ERR87;
     return -1;
     }
+
+  /* Save this item length for use if the next item is a quantifier. */
+
+  lastitemlength = itemlength;
   }


EXIT:

Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2019-07-03 17:15:37 UTC (rev 1125)
+++ code/trunk/testdata/testinput2    2019-07-04 17:01:53 UTC (rev 1126)
@@ -5647,4 +5647,6 @@


/(?<=(?<=a)b)(?<!abcd)(?<=(?<=a)bcde)/I

+/( {32742} {42})(?<!\1{65481})/
+
# End of testinput2

Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2019-07-03 17:15:37 UTC (rev 1125)
+++ code/trunk/testdata/testoutput2    2019-07-04 17:01:53 UTC (rev 1126)
@@ -17078,6 +17078,9 @@
 May match empty string
 Subject length lower bound = 0


+/( {32742} {42})(?<!\1{65481})/
+Failed: error 187 at offset 15: lookbehind assertion is too long
+
# End of testinput2
Error -70: PCRE2_ERROR_BADDATA (unknown error number)
Error -62: bad serialized data